All weekend the question “A SQL injection attack, in 2015?” has been going around my head.

If you don’t understand why, you must have missed the news that UK telco TalkTalk had suffered a major theft of data from what appear to have been its woefully inadequate systems. If you don’t understand “SQL injection attack”, I’m increasingly coming to the view that you aren’t fit to be in the boardroom of a listed company.

For the most part I’m fairly dismissive of the IT security industry. Parts of it (yes, you, antivirus companies) appear to be little more than an elaborate protection racket. Others seem unable to understand that risks are things to be assessed and managed, not thoughtlessly acted upon.

And it’s this crying wolf that I think means that we need to rethink how we address issues of technology management, including risk and security, in our institutions.

A couple of weeks ago I heard someone ask the question “Who ultimately is accountable for sales performance in an organisation?” The answer, fairly obviously, is the CEO. A Sales Director is responsible for the operational delivery, but it’s the man or woman at the top who has to answer to shareholders if revenue falls off a cliff.

Technology is becoming so much a part of the way in which organisations now operate that I believe we need to head to similar levels of accountability. Yet it’s still common to hear claims of Luddite-ness being worn as badges of honour in the boardroom in the way that an inability to add up numbers simply is not.

The IT Security industry cries wolf on irrelevances, and then usually pushes some new layer of technology to solve the problem. As TalkTalk have shown, if the problem is an inability for management to adequately assess risk and then act, the solution to cyber security does not lie in technology. It lies in changing behaviours – of customers, of suppliers, and of the people who manage and own those organisations.

4 thoughts on “Crying wolf”

  1. “As TalkTalk have shown, if the problem is an inability for management to adequately assess risk and then act, the solution to cyber security does not lie in technology.”

    Indeed. I’ve noted before that CIOs complaining about “shadow IT” are barking up the wrong tree. It does no good to find the offenders if the CEO won’t do anything about it and the CEO won’t do anything about it if the offender can make a better case for using something unapproved than the CIO can for why they shouldn’t (n.b. the quality of the case and the quality of the presentation of that case are two very different things). When your own shop has flaws as egregious as those at TalkTalk, your case is sunk before you even make it.

    There’s a real need for the executive suite to get their heads around the fact that this form of risk is as real as any other. IMO, there are two ways for that to happen: one is for enough disasters to occur (with the accompanying financial fallout) that they can’t miss it; the other is for the CIO to abandon the Chief Geek role and learn how to actually portray risk and value in terms the business can understand.

  2. Maybe I am naive but I suspect that most of my CIO colleagues have long since shed the cardigan… Did you not notice that pile of mouldering wool in the corner? I agree that as executives, which we are regardless of whom we report to, we must be much better at making the case but I would posit that it is an addiction to being a victim that has left the technologist in the dark and time to punch back a little and for other execs to take their fingers out of their ears and stop going lalala a lot. I see a lot of in-bred eye rolling and poor behaviour of my exec colleagues when anyone from a supporting function opens their mouths. Courtesy and airspace are not that hard to do and both parties need to shift. Calling names does little to help.
    Having said that the blogger is bang on. The layering technology only hides unprofessional ‘bedroom coding’ and the like and it is time to stop. I must admit to giving tech companies very short shrift on the purchase of tech unicorns.
